Risk assessment pitfalls

I’ve been doing risk assessment work for about 14 years. In that time I’ve evolved my process from somewhat of a basic checklist routine to today’s deep dive into understanding an organization’s major apps and the IT controls used to protect the sensitive data within the apps. Most organizations need a 3rd party to assess their risk on a periodic basis. It’s good business practice—and often a regulatory compliance requirement—to get an objective outside view of how well you’re executing your security program.

Hopefully your 3rd party assessor is doing the deep dive method.

Unfortunately too often I am still hearing about well known vendors offering paltry security “analysis” that allows companies to put a check mark next to the “Perform Security Assessment” entry in their project management. Recently I heard from a client that one well-known vendor in the DC region simply “drops a box” onto your premises and scans and probes (whatever that means) for a week or so. Then they produce a boilerplate report and an $80K invoice. But it gets worse. The vendor then tries to sell a plethora of hardware and software for you to fix your “problems.” I joke not.

The evolution of the security assessment beyond checklists is important because the risks are frankly steeper due to the sheer number of things that can go awry. Threats today are far more sophisticated and constantly morphing. Internet use isn’t just a nice-to-have but a requirement. People are working from all sorts of places and most carry around tiny little devices often containing business data. Cloud technologies and social media make it easy to lose control of data.

You don’t want a vendor that oversimplifies the enormity of the risk assessment job only to turn around and sell you widgets after the fact.

When you pick a risk assessor, make sure you understand what drives them. Do they do risk assessments AND sell products? If so, beware, because those folks have a vested interest in finding faults that can be conveniently fixed with, guess what, something they sell! Now, let me say that I have opinions on products. Some products are awesome at solving problems. Some are complete garbage. When I like a product for its risk reduction features, does being enthusiastic about it and recommending it detract from my vendor neutrality? Is it OK to draw a line in the sand and say, “Box A is the best solution today (IMHO) to solve your problem and reduce your risk”?

I believe I am vendor neutral because I’m not under the gun to make a sales quota from a big manufacturer. I have opinions and I share them. In fact my clients regularly ask me what they should do or buy to fix an issue. I know in my heart the things I recommend are effective and if that manufacturer ever starts to go the other direction, I’ll drop them like a hot potato.

Therefore, make sure the people doing your security assessments have sophisticated analysis processes and also don’t have contracts with hardware and software manufacturers. This gives you the best results over time.